diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te index 70f240c..c1a806f 100644 --- a/policy/modules/services/snort.te +++ b/policy/modules/services/snort.te @@ -37,6 +37,7 @@ allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read wr allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; allow snort_t self:packet_socket create_socket_perms; +allow snort_t self:socket create_socket_perms; # Snort IPS node. unverified. allow snort_t self:netlink_firewall_socket { bind create getattr }; @@ -59,6 +60,7 @@ kernel_read_kernel_sysctls(snort_t) kernel_read_sysctl(snort_t) kernel_list_proc(snort_t) kernel_read_proc_symlinks(snort_t) +kernel_request_load_module(snort_t) kernel_dontaudit_read_system_state(snort_t) corenet_all_recvfrom_unlabeled(snort_t) @@ -76,6 +78,9 @@ corenet_tcp_connect_prelude_port(snort_t) dev_read_sysfs(snort_t) dev_read_rand(snort_t) dev_read_urand(snort_t) +# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon +# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect? +dev_rw_generic_usb_dev(snort_t) domain_use_interactive_fds(snort_t)